Device Code Phishing: 37x Spike, 18 Kits, Every Major PhaaS Platform Shipping It — The MFA Bypass That Survives Password Resets Is Now a Criminal Commodity
At the start of 2026, device code phishing was a niche Russian espionage technique. Six months later: 18 kits in circulation, 37.5x detection spike, every major AiTM PhaaS platform shipping it as a standard feature. It bypasses every legacy MFA method — TOTP, push, SMS — and delivers OAuth tokens that survive password resets. EvilTokens, AI-built and Telegram-distributed, is the dominant kit. The FBI issued an advisory on Kali365. Your Conditional Access policy doesn’t block it by default.
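The last sentence is the one a defender can act on: the device code flow shows up in the sign-in log as its own authentication protocol, and the Conditional Access coverage of each sign-in is recorded alongside it. The following is an added example, not code from the article or from any vendor it names. It scans sign-in records in the shape of the Microsoft Graph `signIn` resource (the field names `authenticationProtocol`, `conditionalAccessStatus`, `status.errorCode` and the value `deviceCode` come from that schema, not from the page) and reports every successful device code sign-in, separating those that no Conditional Access policy evaluated from those that at least one policy did. The records are constructed sample data.

```python
"""Find successful OAuth device code flow sign-ins and check whether any
Conditional Access policy applied to them.

Added example, not from the original article. Record layout follows the
Microsoft Graph `signIn` resource; the records below are constructed.
"""
import json
from dataclasses import dataclass

# Constructed sample sign-in records (not real log data).
SAMPLE_SIGNINS = json.dumps([
    {"id": "s1", "userPrincipalName": "alice@example.test",
     "authenticationProtocol": "oAuth2",
     "conditionalAccessStatus": "success", "status": {"errorCode": 0}},
    {"id": "s2", "userPrincipalName": "bob@example.test",
     "authenticationProtocol": "deviceCode",
     "conditionalAccessStatus": "notApplied", "status": {"errorCode": 0}},
    {"id": "s3", "userPrincipalName": "carol@example.test",
     "authenticationProtocol": "deviceCode",
     "conditionalAccessStatus": "success", "status": {"errorCode": 0}},
    {"id": "s4", "userPrincipalName": "dave@example.test",
     "authenticationProtocol": "ropc",
     "conditionalAccessStatus": "notApplied", "status": {"errorCode": 0}},
    {"id": "s5", "userPrincipalName": "erin@example.test",
     "authenticationProtocol": "deviceCode",
     "conditionalAccessStatus": "failure", "status": {"errorCode": 53003}},
])


@dataclass(frozen=True)
class Finding:
    signin_id: str
    user: str
    ca_status: str          # success | failure | notApplied
    policy_evaluated: bool  # False when no CA policy touched the sign-in


def load_signins(text: str) -> list[dict]:
    """Parse a JSON array of sign-in records (e.g. an export from Graph)."""
    data = json.loads(text)
    if not isinstance(data, list):
        raise ValueError("expected a JSON array of sign-in records")
    return data


def find_device_code_signins(records: list[dict]) -> list[Finding]:
    """Return one Finding per *successful* device code flow sign-in.

    A sign-in is successful when status.errorCode is 0. Failed attempts are
    skipped here; they are still worth a separate alert if they cluster.
    """
    findings = []
    for rec in records:
        if rec.get("authenticationProtocol") != "deviceCode":
            continue
        if rec.get("status", {}).get("errorCode", 1) != 0:
            continue
        ca_status = rec.get("conditionalAccessStatus", "notApplied")
        findings.append(Finding(
            signin_id=rec["id"],
            user=rec.get("userPrincipalName", "?"),
            ca_status=ca_status,
            # "notApplied" means no policy was in scope for this sign-in,
            # which is the default state the article warns about.
            policy_evaluated=(ca_status != "notApplied"),
        ))
    return findings


def uncovered_users(findings: list[Finding]) -> set[str]:
    """Users who completed a device code sign-in with no CA policy in scope."""
    return {f.user for f in findings if not f.policy_evaluated}


if __name__ == "__main__":
    found = find_device_code_signins(load_signins(SAMPLE_SIGNINS))
    for f in found:
        print(f"{f.signin_id} {f.user} ca={f.ca_status} "
              f"{'COVERED' if f.policy_evaluated else 'NO POLICY APPLIED'}")
    print("uncovered:", sorted(uncovered_users(found)))
```

The split matters: a `deviceCode` sign-in with `conditionalAccessStatus` of `notApplied` is exactly the default-policy gap the article describes, and it is the population to act on first (scope a policy to the device code authentication flow, or block it for users who have no legitimate use for it). Run against a real export, the same function works unchanged; only the sample records are constructed.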
